HHS Reforms HITECH Act Penalties for HIPAA Breaches
The Department of Health and Human Services has published a notification of enforcement discretion in relation to the civil monetary penalties that are applied when breaches of HIPAA compliance rules are identified and will be bringing down reducing the maximum financial penalty for three of the four penalty levels.
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 raised the penalties for HIPAA breaches. The new penalties were calculated based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether steps were voluntarily taken to address any violations.
The 1st penalty tier applies when a covered entity or business associate is not conscious that HIPAA Rules were breached and, by applying a reasonable level of due diligence, would not have known that HIPAA was being broken.
The 2nd tier applies when a covered entity knew about the violation or would have known had an acceptable level of due diligence been exercised, but when the violation falls short of knowing neglect of HIPAA Rules.
The 3rd penalty tier comes into play when there was willful neglect of HIPAA Rules, but the covered entity corrected the issue within 30 days.
The 4th tier when there was willful neglect of HIPAA Rules and no steps were taken to address the problem in a timely manner.
The highest fine across all four tiers was set at $1.5 million for breaches of an identical provision in a single calendar year.
On January 25, 2013, the HHS put in place an interim final rule (IFR) and put in place the new penalty structure, but thought at the time that there were inconsistencies in the language of the HITCH Act with respect to the penalty amounts. The HHS decided at the time that the most sensible reading of the law was to apply the same highest penalty cap of $1,500,000 across all four penalty levels.
The HHS has now looked over the language of the HITECH Act and believes a better reading of the requirements of the HITECH Act would be for the annual penalty caps to be different in three of the four levels to better reflect the level of culpability. The lowest and highest amounts in each tier will remain unchanged.
The HHS will make public its notification in the Federal Register on April 30, 2019. The HHS notes that its notification of enforcement discretion places zero no legal obligations and no legal rights. Due to this, it is not necessary for it to be looked over by the Office of Management and Budget.
The new penalty caps will be put in place by the HHS for now and will continue to be adjusted yearly in order to account for inflation. The HHS predicts it will engage in more rulemaking to review the penalty amounts to better reflect the text of the HITECH Act.